PPTP & L2TP Tutorial

December 26, 2017 | Author: dikdonk | Category: Radius, Virtual Private Network, Computer Standards, Networks, Online Safety & Privacy
Rick Frey Consulting www.rickfreyconsulting.com PPTP & L2TP

PPTP

PPTP as Client VPN

PPTP as Site to Site VPN

Point to Point Tunneling Protocol
The PPTP specification was published in July 1999 as RFC 2637, an Informational RFC: PPTP has never been proposed or ratified as a standard by the Internet Engineering Task Force. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

A PPTP tunnel is initiated by connecting to the peer on TCP port 1723. This TCP connection is then used to set up and manage a second, GRE-based tunnel to the same peer. PPTP uses IP protocol number 47 with an enhanced (non-standard) GRE header that carries a Call ID plus sequence and acknowledgement numbers; this GRE tunnel carries the encapsulated PPP packets. Because GRE has no port numbers, a stateful firewall or NAT device has to permit TCP/1723 and IP protocol 47 separately and track sessions by Call ID, which is what the PPTP NAT helper does.
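The two halves of a PPTP session described above, as an added example (not code from the original slides): a Python builder and parser for the first control message on TCP/1723 and for the enhanced GRE header that carries the PPP frames. The hostname, vendor string, call ID and PPP frame are constructed sample values.

```python
import struct

# Added example (not from the original slides): what the two halves of a PPTP
# session look like on the wire, per RFC 2637. Hostname/vendor strings, the
# call ID and the PPP frame below are made-up sample values.

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie at the start of every control message
MSG_CONTROL = 1                # PPTP Message Type: control message
CTRL_SCCRQ = 1                 # Start-Control-Connection-Request, first message on TCP/1723
GRE_PROTO_PPP = 0x880B         # GRE Protocol Type for PPP inside PPTP's enhanced GRE
IP_PROTO_GRE = 47              # the data tunnel runs over IP protocol 47, not TCP or UDP
GRE_K, GRE_S, GRE_A, GRE_VER1 = 0x2000, 0x1000, 0x0080, 0x0001


def build_pptp_sccrq(hostname: bytes, vendor: bytes) -> bytes:
    """Build the 156-byte SCCRQ that opens a PPTP control connection."""
    header = struct.pack(">HHIHH", 156, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0)
    # protocol version 1.0, reserved, framing caps (1=async), bearer caps (1=analog),
    # max channels, firmware revision
    body = struct.pack(">HHIIHH", 0x0100, 0, 1, 1, 1, 0)
    return header + body + hostname.ljust(64, b"\x00")[:64] + vendor.ljust(64, b"\x00")[:64]


def parse_pptp_control(msg: bytes) -> dict:
    """Validate and decode the fixed part of one control message read from TCP/1723."""
    if len(msg) < 12:
        raise ValueError("short PPTP control message")
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack(">HHIHH", msg[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie: not PPTP or desynchronised stream")
    if msg_type != MSG_CONTROL:
        raise ValueError("unsupported PPTP message type %d" % msg_type)
    if length != len(msg):
        raise ValueError("declared length %d != %d bytes received" % (length, len(msg)))
    return {"length": length, "ctrl_type": ctrl_type}


def build_gre_ppp(call_id: int, seq: int, ppp_frame: bytes, ack=None) -> bytes:
    """Wrap a PPP frame in PPTP's enhanced GRE header (K and S always set, A when acking)."""
    flags = GRE_K | GRE_S | GRE_VER1 | (GRE_A if ack is not None else 0)
    # The 4-byte GRE Key field is split into payload length and the peer's Call ID.
    # The Call ID is what a NAT helper has to track, because GRE has no port numbers.
    hdr = struct.pack(">HHHHI", flags, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        hdr += struct.pack(">I", ack)
    return hdr + ppp_frame


def parse_gre_ppp(pkt: bytes) -> dict:
    """Decode an enhanced GRE packet and return call ID, counters and the PPP frame."""
    flags, proto, plen, call_id = struct.unpack(">HHHH", pkt[:8])
    if (flags & 0x0007) != GRE_VER1 or proto != GRE_PROTO_PPP or not flags & GRE_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & GRE_S:
        seq = struct.unpack(">I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_A:
        ack = struct.unpack(">I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:
        raise ValueError("truncated GRE payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}


if __name__ == "__main__":
    sccrq = build_pptp_sccrq(b"branch-router", b"MikroTik")
    print(parse_pptp_control(sccrq))
    lcp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"   # constructed sample: PPP LCP Configure-Request
    print(parse_gre_ppp(build_gre_ppp(call_id=7, seq=1, ppp_frame=lcp, ack=0)))
```

Neither message carries any integrity protection: the control channel is plain TCP and the GRE header is unauthenticated, so anything that makes the tunnel trustworthy has to come from the PPP authentication and MPPE negotiated inside it.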

PPTP & MikroTik
• PPTP can be bridged using BCP (Bridging Control Protocol)
• Bridging of PPTP tunnels only works between RouterOS devices
• RouterOS supports MLPPP over PPTP
• You must enable the PPTP firewall service port (NAT helper) for clients to connect to/from your private LAN through NAT, because the GRE leg of the tunnel has no port number for NAT to track
• When multiple authentication methods are selected, RouterOS will always choose the most secure one that both sides support

PPTP & Microsoft Windows
PPTP was the first VPN protocol supported by Microsoft Dial-up Networking. All releases of Microsoft Windows since Windows 95 OSR2 are bundled with a PPTP client, although they are limited to only 2 concurrent outbound connections. The Microsoft implementation uses single DES in the MS-CHAP authentication protocol: the challenge response is three DES operations keyed from the NT password hash, so an attacker who captures the handshake can recover that hash offline with at most 2^56 DES operations, and the MPPE session keys are derived from the same hash. Windows Vista and later support the use of PEAP (Protected EAP) with PPTP. Windows Vista removed support for using the MSCHAPv1 protocol to authenticate remote access connections.
PPTP & Microsoft Windows
The authentication methods that will work between current Windows releases and MikroTik are:
• PAP (unencrypted passwords; the password crosses the tunnel in the clear)
• CHAP (Challenge Handshake Authentication Protocol, MD5 based)
• MSCHAPv2 (Microsoft CHAP version 2; the only one of the three from which MPPE encryption keys can be derived, so it is the only choice that gives an encrypted tunnel)

Proxy-ARP has to be enabled on the router's LAN interface (never the WAN interface) so that remote clients given addresses from the LAN range are reachable from the LAN.




PPTP Server Setup

PPTP Server Settings
• Enabled: whether the PPTP server is enabled or disabled
• Max MTU: maximum transmission unit
• Max MRU: maximum receive unit
• MRRU: maximum received reconstructed unit (used with MLPPP)
• Keepalive Timeout: how long to wait before sending packets to the client to confirm it is still connected
• Default Profile: the PPP profile to be used
• Authentication: the authentication methods the server accepts (leave only mschap2 enabled unless a client genuinely needs something weaker)

PPTP Client

Creating a New PPTP Client

PPTP Client Settings
• Name: administrative name of the interface
• Type: tunnel type (layer 2)
• Max MTU: largest packet the client can send without fragmentation
• Max MRU: largest packet the client can receive without fragmentation
• MRRU: multilink maximum received reconstructed unit, used with MLPPP
• Connect To: IP address of the server
• User / Password: credentials for the tunnel
• Profile: PPP profile to be used
• Keepalive Timeout: how long to keep the connection alive before timing out
• Dial On Demand: when selected, the tunnel is only established when traffic is generated (do not use)
• Add Default Route / Default Route Distance: whether to add a default route so that all traffic goes through the tunnel, and the distance of that route
• Allow: authentication methods the client will accept; restrict this to mschap2 so that the client cannot be talked down to PAP or CHAP by whatever answers on the server address

PPTP Client Settings
The Status tab provides connection info. The Traffic tab provides details on the traffic going through the tunnel.

PPTP Lab
1) Pair up with another student and decide who will be the server and who will be the client.
2) Connect an Ethernet cable between you and assign the interfaces a /30 address (remember to remove the interfaces from any bridges or switch groups).
3) Connect your PPTP tunnel and verify that you can ping both sides of the tunnel IP address.
4) Switch roles and create a new tunnel.

PPTP With RADIUS

RADIUS Settings

RADIUS Settings
• Service: which service is going to talk to the RADIUS server (ppp for PPTP and L2TP)
• Called ID (not usually required): the PPPoE service name, or the PPTP or L2TP server's IP address
• Domain (not usually required): Windows domain
• Address: address of the RADIUS server (use 127.0.0.1 when User Manager is running on the same router, which also keeps the RADIUS traffic off the wire)
• Secret: shared secret with the RADIUS server; it is the only thing protecting the User-Password attribute and authenticating the server's replies, so make it long and random
• Authentication Port / Accounting Port: standard RADIUS ports (1812 and 1813)
• Timeout: how long to wait for a reply before it times out (set in seconds, not milliseconds)
• Backup: whether this configuration is for a backup RADIUS server
• Realm: also known as user domain; used by some ISPs' RADIUS servers
• Src. Address: source address of packets to be sent to the RADIUS server (not usually used)

The Status tab is where you can see whether the service is sending requests to the RADIUS server and whether the RADIUS server is replying to those requests.
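A minimal RADIUS Access-Request / Access-Accept exchange, added here as an example (not code from the original slides or from RouterOS or User Manager) to show what the shared secret and the standard ports above actually do: the secret obfuscates the User-Password attribute and authenticates the server's reply. The username, password, NAS address and secret are constructed sample values; the packets are built in memory rather than sent over UDP 1812.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the original slides: a minimal RADIUS exchange (RFC 2865)
# between a NAS such as a MikroTik router and a RADIUS server, showing what the
# shared secret from the settings above protects. Username, password, NAS
# address and secret are made-up sample values.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
AUTH_PORT, ACCT_PORT = 1812, 1813          # the "standard RADIUS ports"
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL = 4, 6, 7
SERVICE_FRAMED, FRAMED_PPP = 2, 1


def _attr(attr_type: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length counts the 2-byte header."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), the first block using the Request Authenticator.
    This is obfuscation keyed by the shared secret, not authenticated encryption."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """What the router sends to the server for a PAP login over PPTP/L2TP."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_SERVICE_TYPE, struct.pack(">I", SERVICE_FRAMED))
             + _attr(ATTR_FRAMED_PROTOCOL, struct.pack(">I", FRAMED_PPP)))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for the attributes after the 20-byte header."""
    attrs, off = {}, 20
    while off + 2 <= len(packet):
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.setdefault(attr_type, []).append(packet[off + 2:off + length])
        off += length
    return attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes, ident: int) -> bool:
    """NAS side: accept a reply only if the server proved it knows the secret and is
    answering this request (matching ID); otherwise anyone on the path could forge an Accept."""
    if len(packet) < 20:
        return False
    _code, resp_ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or resp_ident != ident:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret, ra = b"change-me-to-a-long-random-secret", os.urandom(16)
    req = build_access_request(42, secret, b"alice", b"s3cret!", "10.0.0.1", ra)
    got = decrypt_user_password(parse_attributes(req)[ATTR_USER_PASSWORD][0], secret, ra)
    print("server recovered password:", got)
    accept = build_response(ACCESS_ACCEPT, 42, ra, secret)
    print("accept verifies with right secret:", verify_response(accept, ra, secret, 42))
    print("accept verifies with wrong secret:", verify_response(accept, ra, b"wrong", 42))
```

Note what the secret does not do: it does not authenticate the Access-Request itself (that needs the Message-Authenticator attribute of RFC 2869), and the password obfuscation is MD5-based and unauthenticated. That is why pointing the router at 127.0.0.1 when User Manager runs on the same box, or otherwise keeping RADIUS traffic off untrusted networks, matters.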


User Manager
The default login is admin with no password. Set a password before the User Manager web interface is reachable from anything other than the management network.

User Manager Settings
Step 1: The RADIUS server has to know which routers (NAS nodes) it is talking to. Add each router with its address and the same shared secret that is configured in the router's RADIUS settings.
Step 2: Create a new profile that is going to be applied to the user. Set the validity, set the start to "Now", then save the profile.
Step 3: Set the username and password, then save the user. Notice that the actual profile does not show up at first.
Step 4: Log out and then log back in, and verify that the user has the correct profile.

PPTP Client Settings
• Delete any secrets from the router's local PPP secrets database and restart the PPTP client, so that authentication has to go through RADIUS
• When the client has reconnected, verify that there is an "R" flag (RADIUS) on the active connection

PPTP & RADIUS Lab
1) With the same partner from the previous lab, recreate your tunnels using RADIUS. Make sure your local databases are clear of any secrets.
2) Switch roles and verify that both of you are able to create the tunnel client and set up the server/RADIUS.

Adding Dynamic Queues
Dynamically created queues can be added by using the Limitations feature in the User Manager profile. Remember to add the limit and save the profile. The new limitation is delivered by RADIUS as a rate-limit attribute in the Access-Accept, so the client has to reconnect before the queue is created.

Dynamic Queue Lab
Set a new limitation of 1M up and 1M down and test with the bandwidth test tool. Remember to test to the IP address of the tunnel and not the IP address of the router. Swap roles and test the other direction.

L2TP

L2TP as Client VPN

L2TP as Site to Site VPN

L2TP
L2TP was published in August 1999 as proposed standard RFC 2661. A new version of the protocol, L2TPv3, appeared as proposed standard RFC 3931 in 2005; MikroTik implements most of the original standard. (L2TPv3 adds a per-session cookie against blind packet insertion, but no encryption: L2TP of either version relies on IPsec for confidentiality.) UDP port 1701 is the well-known port used to establish the tunnel; the initiator may send from any source port and the responder replies to whatever address and port the request came from, so the established tunnel need not use 1701 at both ends. Because everything rides on UDP rather than on GRE, L2TP tunnels traverse NAT and most firewalls more easily than PPTP.

L2TP can be used by some versions of Microsoft Windows, but Windows expects L2TP to be combined with IPsec, and plain L2TP is difficult to set up there. Other tunnel types are recommended for that case.
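The L2TP header that a firewall or NAT device sees on UDP 1701, as an added example (not code from the original slides): a builder for the SCCRQ that opens a tunnel and a parser that handles both control and data messages. The hostname and tunnel ID are constructed sample values.

```python
import struct

# Added example, not from the original slides: building and decoding an L2TPv2
# control message (RFC 2661) so the header seen on UDP 1701 is concrete.
# Hostname and tunnel ID are made-up sample values.

L2TP_PORT = 1701
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_L2TPV2 = 2
AVP_MANDATORY, AVP_HIDDEN = 0x8000, 0x4000
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAPS = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 7, 9
MSG_SCCRQ = 1                  # Start-Control-Connection-Request


def avp(attr_type: int, value: bytes, mandatory: bool = True, vendor: int = 0) -> bytes:
    """Attribute-Value Pair: 6-byte header (flags+length, vendor ID, type) then value."""
    length = 6 + len(value)
    if length > 0x03FF:
        raise ValueError("AVP too long")
    flags = (AVP_MANDATORY if mandatory else 0) | length
    return struct.pack(">HHH", flags, vendor, attr_type) + value


def build_l2tp_sccrq(hostname: bytes, assigned_tunnel_id: int) -> bytes:
    """First datagram of a tunnel: a control message (T) with Length and Ns/Nr present."""
    body = (avp(AVP_MESSAGE_TYPE, struct.pack(">H", MSG_SCCRQ))
            + avp(AVP_PROTOCOL_VERSION, b"\x01\x00")
            + avp(AVP_FRAMING_CAPS, struct.pack(">I", 3))          # sync and async framing
            + avp(AVP_HOST_NAME, hostname)
            + avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack(">H", assigned_tunnel_id)))
    flags = FLAG_T | FLAG_L | FLAG_S | VERSION_L2TPV2
    # Tunnel ID and Session ID are 0 until the peer assigns them; Ns = Nr = 0 at start
    header = struct.pack(">HHHHHH", flags, 12 + len(body), 0, 0, 0, 0)
    return header + body


def parse_avps(buf: bytes) -> list:
    """Decode the AVP list of a control message, checking every length field."""
    avps, off = [], 0
    while off < len(buf):
        if off + 6 > len(buf):
            raise ValueError("truncated AVP header")
        flags, vendor, attr_type = struct.unpack(">HHH", buf[off:off + 6])
        length = flags & 0x03FF
        if length < 6 or off + length > len(buf):
            raise ValueError("malformed AVP length at offset %d" % off)
        avps.append({"type": attr_type, "vendor": vendor,
                     "mandatory": bool(flags & AVP_MANDATORY),
                     "hidden": bool(flags & AVP_HIDDEN),   # H is set only with a tunnel secret
                     "value": buf[off + 6:off + length]})
        off += length
    return avps


def parse_l2tp(datagram: bytes) -> dict:
    """Decode the variable-length L2TP header of a UDP payload, control or data."""
    if len(datagram) < 6:
        raise ValueError("short L2TP datagram")
    flags = struct.unpack(">H", datagram[:2])[0]
    if flags & 0x000F != VERSION_L2TPV2:
        raise ValueError("not an L2TPv2 packet (version %d)" % (flags & 0x000F))
    off, length = 2, len(datagram)
    if flags & FLAG_L:
        length = struct.unpack(">H", datagram[off:off + 2])[0]
        off += 2
        if length > len(datagram):
            raise ValueError("declared length exceeds datagram")
    tunnel_id, session_id = struct.unpack(">HH", datagram[off:off + 4])
    off += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack(">HH", datagram[off:off + 4])
        off += 4
    if flags & FLAG_O:                      # data messages only: skip Offset Size and padding
        off += 2 + struct.unpack(">H", datagram[off:off + 2])[0]
    info = {"control": bool(flags & FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr}
    if info["control"]:
        if not (flags & FLAG_L and flags & FLAG_S):
            raise ValueError("control messages must carry Length and Ns/Nr")
        info["avps"] = parse_avps(datagram[off:length])
    else:
        info["ppp"] = datagram[off:length]      # cleartext PPP unless IPsec wraps the UDP
    return info


if __name__ == "__main__":
    print(parse_l2tp(build_l2tp_sccrq(b"gw1", 5)))
```

Everything parsed here, including the PPP payload of data messages, is readable by anyone on the path; the H (hidden) AVP bit only obscures selected AVPs under a tunnel secret. Confidentiality comes from wrapping the whole UDP datagram in IPsec, which is what the L2TP/IPsec setup later in this module does.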

L2TP in MikroTik
Functionally, an L2TP tunnel is identical to a PPTP tunnel; the setup is exactly the same. L2TP tunnels can be encrypted with MPPE when both the server and client are MikroTik routers. This is a non-standard combination, so there can be limited connectivity with other operating systems and the results may be unpredictable. Without MPPE or IPsec, the PPP frames inside an L2TP tunnel are sent in the clear.

L2TP Lab
1) Repeat the steps of the PPTP lab with an L2TP connection. Leave the PPTP tunnel functional.
2) Take turns with your partner creating an L2TP client and connecting to the server through RADIUS.
Hint: you are going to have to modify the user in User Manager for both tunnels to become active.

(The original slide shows a screenshot of the finished configuration.)

L2TP & IPsec
Starting with RouterOS 6.16 there is a "one button" L2TP/IPsec server setup. This preconfigures the L2TP server and IPsec for a road-warrior configuration that is compatible with most vendors: IPsec in transport mode with a pre-shared key protects the UDP 1701 traffic, so the firewall has to pass UDP 500 (IKE), UDP 4500 (NAT-T, for clients behind NAT) and ESP (IP protocol 50) to the server. It works with RADIUS. Note that the pre-shared key is shared by every client and only protects the transport; per-user identity still rests on the PPP authentication (use MSCHAPv2) and the RADIUS account.

L2TP & IPsec Lab
1) Take turns with your partner creating an L2TP/IPsec client and connecting to the server through RADIUS.
2) Observe the L2TP interface and its status.
3) Observe the IPsec settings (policies and security associations) that are created dynamically.

Tunnel Comparison

| Tunnel | Introduced | Layer | Port | Port can be changed | Default MTU | Authentication Protocols | Encryption Protocols | Encryption Level | Clients can call home | Bridging or BCP Supported |
|---|---|---|---|---|---|---|---|---|---|---|
| GRE | Oct 1994 | 3 | N/A | No | 1476 | N/A | N/A | None | No | No |
| IPIP | Oct 1996 | 3 | N/A | No | 1500 | N/A | N/A | None | No | No |
| VLAN | 1998 | 2 | N/A | No | 1500 | N/A | N/A | None | N/A | Yes |
| IPsec | Nov 1998 | 3 | UDP 500 | Yes | N/A | None, MD5, SHA1, SHA256, SHA512 | None, DES, 3DES, AES, Blowfish, Twofish, Camellia | None, 64-bit, 128-bit, 192-bit, 256-bit | Yes | No |
| PPPoE | Feb 1999 | 2 | N/A | N/A | 1480 | PAP, CHAP, MSCHAPv1, MSCHAPv2 | None, MPPE 40-bit, MPPE 128-bit | None, 40-bit or 128-bit | N/A | Yes |
| PPTP | July 1999 | 3 | TCP 1723 (plus GRE, IP protocol 47) | No | 1450 | PAP, CHAP, MSCHAPv1, MSCHAPv2 | None, MPPE 40-bit, MPPE 128-bit | None, 40-bit or 128-bit | Yes | Yes |
| L2TP | Aug 1999 | 3 | UDP 1701 | No | 1450 | PAP, CHAP, MSCHAPv1, MSCHAPv2 | None, MPPE 40-bit, MPPE 128-bit | None, 40-bit or 128-bit | Yes | Yes |
| OVPN | May 2001 | 3 | TCP 1194 | Yes | 1500 | None, MD5, SHA1 | None, Blowfish 128, AES 128, AES 192, AES 256 | None, 128-bit, 192-bit or 256-bit | Yes | Yes |
| EoIP | Sept 2002 | 3 | N/A | No | 1500 | N/A | N/A | None | No | Yes |
| SSTP | Jan 2007 | 3 | TCP 443 | Yes | 1500 | PAP, CHAP, MSCHAPv1, MSCHAPv2, TLS 1.0 | None, MPPE 40-bit, MPPE 128-bit, TLS 1.0 | None, 40-bit, 128-bit or 256-bit | Yes | Yes |

Two notes on reading the table. MPPE is RC4 keyed from the MS-CHAP password hash, so the "128-bit" figure for PPPoE, PPTP and L2TP is an upper bound on a key that an attacker who cracks the MS-CHAP exchange already holds; with PAP or CHAP no MPPE key can be derived and the tunnel is unencrypted. For IPsec, the "Authentication Protocols" entries are integrity (HMAC) algorithms rather than user authentication, and DES and MD5 are legacy options that should not be selected.

Tunnel Comparison: Throughput Loss (the author's measurements; RX throughput without and with the tunnel)

| Tunnel | Initial Bandwidth | With Tunnel | % of Loss |
|---|---|---|---|
| GRE | 691M RX | 195M RX | 71.80% |
| IPIP | 691M RX | 204M RX | 70.50% |
| VLAN | 691M RX | 582M RX | 15.80% |
| IPsec | 691M RX | 667M RX | 3.50% |
| PPPoE | 691M RX | 94M RX | 86.40% |
| PPTP | 691M RX | 61M RX | 91.20% |
| L2TP | 691M RX | 59M RX | 91.50% |
| OVPN | 691M RX | 29M RX | 95.90% |
| EoIP | 691M RX | 190M RX | 72.50% |
| SSTP | 691M RX | 29M RX | 95.80% |

End of Module
